The fear is that the Australian government may use broad and opaque legal powers to force technology companies to undermine their own encryption, or in other cases, engineer new software to unlock encrypted data.

"When I travel to other countries I hear companies and governments say 'we are no longer comfortable putting our data in Australia', so they are asking us to build more data centers in other countries," says Smith, according to the broadcaster ABC. Smith was in Canberra on Wednesday.

Smith's comments reinforce the views of other technology companies that have said the law, which went into effect in December, has undermined trust in their local operations (see: Australia Passes Encryption-Busting Law).

According to the ABC, Smith says Microsoft has not yet changed its operations in Australia, but the law is causing concern.

"We will have to sort through those issues, but if I were an Australian who wanted to advance the Australian technology economy, I would want to address that and put the minds of other like-minded governments at ease," Smith says.

Government: Encryption Threatens Public Safety

As in the U.S. and U.K., Australian authorities have asserted that encrypted communications are hampering investigations, increasing the risks to public safety. End-to-end encryption is implemented in messaging systems such as Facebook's WhatsApp, Signal, Wickr and Apple's iMessage.

The decryption keys are only held on the end-user devices, which means, in theory, that law enforcement would need unlocked devices in hand for a chance at recovering unencrypted messages.

The New York Times reported in January that Facebook is considering implementing end-to-end encryption in its Messenger product and within Instagram, covering two of the most popular software services on mobile devices.

"When I travel to other countries, I hear companies and governments say 'we are no longer comfortable putting our data in Australia', so they are asking us to build more data centers in other countries."—Brad Smith, Microsoft

Known as the Assistance and Access Bill 2018, the law gives the Australian government new tools to pressure technology companies into aiding investigations into terrorism and organized crime.

Under the law, an organization can be served with a technical assistance request, which asks for voluntary cooperation. The next level is a technical assistance notice, which compels an organization to decrypt content if technically feasible. The most concerning potential action is a technical assistance notice, which could force a company to engineer a way around encryption or otherwise subvert it.

The government maintained that the law would not compel software companies to install backdoor or systemic weaknesses that would undermine the security of all users. Encryption experts derided the claim, saying it's impossible to make software weaker for just select users.

Smith addressed the systemic weakness claim.

"There is this wonderful phrase about enabling companies to avoid creating a systemic weakness but that phrase is not defined," he said. "Until it is defined. I think people will worry, and we will be among those who will worry because we do feel it is vitally important we protect our customer's privacy."

Law Under Review

Australian technology companies maintain the law is generating anxiety among their clients, which, in turn, may hurt their businesses. It comes as Australia continues to nuture a homegrown cybersecurity industry, part of a national cybersecurity strategy launched in 2016.

Fastmail, an email provider, and Senatas, an encryption company, submitted sharp opinions to the Senate's Parliamentary Joint Committee on Intelligence and Security, which is studying the law. Both companies expressed concern over the impact, and the committee is due to release a report next week (see: Tech Industry Pushes for Australian Encryption Law Changes).

The Assistance and Access Bill 2018 was passed during a flurry of legislative horse trading on the last day of Parliament's session, Dec. 6. Due to the widespread opposition, the government committed to revisiting it, but maintained the legislation was needed to counter threats over the holiday season.

But the pass-it-first, fix-it-later approach to such a sensitive topic with economic and security consequences didn't sit well with many.

On Wednesday, Parliament announced that the Independent National Security Legislation Monitor, which reviews national security laws, would conduct an inquiry. But the review won't be complete until 2020.

In the meantime, companies have expressed concern that their employees could be targeted by national security orders to undermine their software. Those who disclose orders could face criminal penalties, making whistleblowing about potential abuse risky.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.